1. Purpose
The purpose of this policy is to define the acceptable installation and use of video security cameras.
2. Policy
Video security cameras will only be installed in public areas of the University and for the following reasons:
- to assist in efforts to maintain the personal safety of students, faculty, staff, and others who use University facilities;
- to assist with efforts to protect University property and the property of others;
- to deter crime and violations of University policy; and
- to increase the likelihood that persons who commit crimes or breach University policies are identified.
Images from these cameras will not be used or disclosed for purposes other than those described in this policy, except as required by law.
3. Responsibilities
The Director of Administrative Services, or their designate, in consultation with Computing Services is responsible for selecting the video security cameras and software; for installing the cameras; for storing the images; and for preventing unauthorized access to the images.
The Vice-President Finance and Administration is responsible for:
a. authorizing the installation of video security cameras;
b. consulting with the Deans and Directors who must be consulted (as per section 4) before these cameras are installed;
c. authorizing the retention of stored images beyond 30 days; and
d. authorizing the release of stored images to law enforcement authorities for the purposes of criminal investigations and/or other investigations as deemed necessary to assist with the enforcement of University policies except when investigations concern the conduct of students.
The Vice-President International and Student Affairs is responsible for authorizing the release of stored images to law enforcement authorities for the purposes of criminal investigation and/or other investigations as deemed necessary to assist with the enforcement of University policies when investigations concern the conduct of students.
4. Camera Installations
Requests to install security cameras will be submitted to the Director of IT who will forward and consult with the Vice-President, Finance and Administration.
Security cameras will not be installed inside buildings until after consultation with the Deans and / or Directors who use the spaces where the cameras will be located.
However, the Vice-President Finance and Administration may authorize the temporary installation of security cameras for the purpose of investigations without such consultation although, when the investigation concerns the conduct of students, the Vice-President International and Student Affairs must also authorize the installation.
5. Access to Images
Computing Services will permit access to real-time and stored images to the following groups only;
- to Computing Services staff who must have access for that Department to meet its responsibilities under this policy, and
- to those who are granted such access by the Vice-President, Finance and Administration.
No person who has access to real-time and stored images will use that access for any purpose other than the purpose for which the cameras were installed, or the specific reason they have been given access.
Access to stored images will be tracked by the system.
6. Storage and Retention
All images will be stored for a minimum of 7 days and a maximum of 30 days unless storage for a longer period is authorized by the Vice-President, Finance and Administration for the purposes of an investigation or of proceedings related thereto, in which cases the images will be retained until the conclusion of the investigation and proceedings.
Servers and stored images will be located in a room where access is restricted to authorized staff.
Electronic Data Retention and Destruction Procedure
1. Background & Purpose
1.1 The University has electronic information, including records which are defined as personal information under the Right to Information and Protection of Privacy Act (“RTIPPA”) and has obligations regarding the safe keeping of this information.
1.2 Records can be categorized as low, medium, or high risk where risk is measured based on the impact to the University or a 3rd party if the record was to be inappropriately accessed.
1.3 This document sets guidelines for Users on the retention, destruction and/or sanitization of 91ү Electronic Information (data destruction).
1.4 The Vice President Finance and Administration has issued this document under the authority of the Use and Security of Electronic Information and Systems Policy. Questions about this standard may be referred to helpdesk@mta.ca.
2. Responsibilities of Users
2.1 Users should only retain information as long as required for its intended use.
2.2 Prior to deleting electronic information users must take into consideration the requirements of the Archives Policy 6300. Consult with the University Archivist if in doubt.
2.3 Users are responsible for ensuring that 91ү Electronic Information is always removed from a Device (Desktop, laptop, tablet, smart phone) before the device is transferred to another individual, sold, or discarded. The information needs to be removed even if it does not appear to be Medium, or High Risk. Users should contact the Helpdesk (helpdesk@mta.ca) if they require data destruction assistance.
3. Responsibilities of Service Providers
3.1 Where a third party Service Provider has received copies of 91ү Electronic Information for the purpose of 91ү work, the Service Provider must destroy all of the information in its possession within seven days of the completion of the project or termination of the agreement, whichever first occurs, using destruction methods compliant with this policy and give the 91ү contract owner a signed confirmation of destruction.
3.2 Where data destruction is not feasible, The 91ү contract owner may consult with Computing Services to determine appropriate alternate controls.
4. Approved Destruction Methods
4.1 Any of the following are approved methods of data destruction:
- 4.1.1 using a software utility, such as "Secure Erase", that erases, overwrites or encrypts the data;
- 4.1.2 magnetically erasing (degaussing) the data;
- 4.1.3 formatting a Device after encrypting it; or
- 4.1.4 using a machine that physically deforms or destroys the Device to prevent the data from being recovered.
4.2 Using the “Empty Recycle Bin/Trash”, “Delete”, “Remove”, and “Format” operating system commands do not destroy data and therefore are not acceptable methods for preparing media for transfer or disposal.
4.3 Data destruction methods must comply with the minimum standards set out in the IT Media Sanitization (ITSP.40.006 v2) publication issued by the Government of Canada.
4.4 Wherever encryption is used before formatting a device, it must be AES-128/256 bit encryption with strong passwords or passphrase. See Password Policy and Procedures - 7002
4.5 Questions about whether a mode of destruction is an approved method can be directed to helpdesk@mta.ca
5. Special Cases
5.1 To reuse flash memory devices (e.g. SD memory cards, USB drives) containing 91ү Electronic Information, the User can encrypt the whole device. After encryption, the User can format the device and reuse it safely.
5.2 Smartphones must have all data removed (factory reset) prior to being transferred to another person or being turned in for recycling; note that some smartphones have removable memory cards that need to be treated the same as flash memory devices and securely sanitized separate from a phone factory reset. Users can contact the CSD Helpdesk if they are uncertain of how to perform a factory reset.
5.3 Other imaging devices with a hard drive (e.g. photocopiers, printers, fax machines, etc.) are also subject to the data destruction requirements; additionally, where possible, these devices should have image overwriting enabled. This is a function where scanned or electronic images of a document are immediately overwritten using a data destruction technique. This function is known by various names, e.g. “Immediate Image Overwrite” (Xerox), “Hard Disk Drive Erase Feature” (Canon), “Hard Disk Overwrite Feature” (HP)
Related Documents Password Policy and Procedures - 7002